Cloud Firewall provides layered intrusion prevention system (IPS) defense against worm attack chains. It detects and intercepts a variety of worms and dynamically updates and expands its capabilities based on threat intelligence from the cloud.
Business impact of worm attacks
The following issues may occur due to worm attacks:
Service interruption: Worms may carry out malicious operations, such as modifying configurations or terminating services, on compromised servers. This may cause server breakdown or service interruption.
Information theft: Worms that aim to steal information compress data on compromised servers and send the compressed data to attackers. This may cause data breaches and resource abuse.
Regulatory control: When worms spread over a network, they send a large number of packets. This may trigger regulatory control on IP addresses, which results in service interruption. For example, IP addresses may be blocked.
Economic or data loss: Ransomware worms encrypt files on compromised servers for ransom, which can cause economic or data loss.
Common worms
The following table describes common worms that Cloud Firewall defends against.
| Worm | Spread method | Impact |
|---|---|---|
| DDG | Exploits Redis vulnerabilities and launches brute-force attacks | Uses computing resources on compromised servers to mine cryptocurrency |
| WannaCry | Exploits Windows system vulnerabilities | Compromises servers for ransom |
| BillGates | Exploits application vulnerabilities and launches brute-force attacks | Builds a botnet of compromised servers to launch distributed denial-of-service (DDoS) attacks |
Case study: DDG worm
DDG is an active worm that spreads by exploiting Redis vulnerabilities and launching brute-force attacks. Compromised servers are added to a botnet to mine cryptocurrency.
Affected systems
Servers that use weak SSH passwords
Redis or other database servers for which specific vulnerabilities exist
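The two affected-system conditions above (weak SSH passwords and exposed Redis instances) can be checked locally before traffic ever reaches the firewall. The following Python script is an added example, not code from the original page or from Cloud Firewall: it flags SSH password brute-force sources in sshd log lines, escalating when a source succeeds after many failures, and inspects a redis.conf fragment for the settings that leave Redis reachable without authentication. The log lines and both configuration fragments are constructed for the example; the `bind`, `protected-mode` and `requirepass` directives are real Redis settings, and the failure threshold of 5 is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines (not from the original page): one source hammers
# root and two invalid users, then succeeds; a second source logs in normally.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jan 10 03:14:03 web01 sshd[2103]: Failed password for root from 203.0.113.9 port 51024 ssh2
Jan 10 03:14:05 web01 sshd[2105]: Failed password for invalid user admin from 203.0.113.9 port 51026 ssh2
Jan 10 03:14:07 web01 sshd[2107]: Failed password for invalid user test from 203.0.113.9 port 51028 ssh2
Jan 10 03:14:09 web01 sshd[2109]: Failed password for root from 203.0.113.9 port 51030 ssh2
Jan 10 03:14:11 web01 sshd[2111]: Accepted password for root from 203.0.113.9 port 51032 ssh2
Jan 10 03:20:41 web01 sshd[2150]: Accepted publickey for deploy from 198.51.100.7 port 40210 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port")


def find_ssh_bruteforce(log_text, threshold=5):
    """Return {source_ip: {"failures": n, "users": [...], "succeeded_after": bool}}
    for every source whose failed-password count reaches the threshold.
    A password success from a source that already hit the threshold is the
    weak-password foothold described above and is the case to escalate."""
    failures = Counter()
    users = defaultdict(set)
    succeeded = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            succeeded.add(m.group(2))
    return {
        ip: {"failures": n, "users": sorted(users[ip]), "succeeded_after": ip in succeeded}
        for ip, n in failures.items()
        if n >= threshold
    }


# Constructed redis.conf fragments: one reachable from anywhere without a
# password, one restricted to loopback with protected mode and a password.
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_REDIS_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
"""


def check_redis_conf(conf_text):
    """Return a list of findings for settings that leave Redis open to the
    unauthenticated-access weakness that worms such as DDG rely on.
    Only bind, protected-mode and requirepass are inspected; a missing bind
    is treated conservatively as listening on all interfaces."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    findings = []
    bind = settings.get("bind", "")
    if not bind or "0.0.0.0" in bind.split() or "::" in bind.split():
        findings.append("bind: reachable on all interfaces; bind to loopback or an internal address")
    if settings.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode: disabled; clients on any address can connect unauthenticated")
    if not settings.get("requirepass"):
        findings.append("requirepass: not set; no authentication is required")
    return findings


if __name__ == "__main__":
    for ip, info in find_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"SSH brute force from {ip}: {info}")
    print("weak redis.conf:", check_redis_conf(WEAK_REDIS_CONF))
    print("hardened redis.conf:", check_redis_conf(HARDENED_REDIS_CONF))
```

The SSH check only reads `Failed password` and `Accepted password` records, so key-based logins never count toward the threshold; on a real host, feed it `/var/log/auth.log` or `journalctl -u ssh` output and lower the threshold for internet-facing hosts. The Redis check is deliberately narrow: an empty finding list means these three directives are set safely, not that the instance is fully hardened.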
Business impact
Service interruption: DDG mines cryptocurrency on compromised servers, which occupies a large number of computing resources. This may affect service availability or cause service interruption.
Regulatory control: When DDG spreads over a network, it sends a large number of packets. This may trigger regulatory control on IP addresses, such as IP blocking, which results in service interruption.
Defense architecture against the DDG attack chain
Cloud Firewall detects and defends against the DDG attack chain in real time. This blocks worms and prevents them from spreading.
The following figure shows the defense architecture against the DDG attack chain.
Cloud Firewall provides the following IPS capabilities:
| IPS capability | Description |
|---|---|
| Whitelist | Trusts the source and destination IP addresses that you specify in the whitelist and does not block the traffic of these IP addresses. |
| Threat Intelligence | Checks the traffic of your servers against threat intelligence from the cloud and blocks malicious behavior that involves command-and-control (C&C) servers identified by that intelligence. |
| Basic Protection | Detects malware and intercepts the requests sent to or received from C&C servers or backdoors. |
| Virtual Patching | Provides virtual patches to defend your services against popular high-risk application vulnerabilities in real time. |
Configure IPS to defend against worms
Prerequisites
A Cloud Firewall instance that is activated and running
Procedure
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Internet Border tab, select Block-Loose for Threat Engine Mode.

Click Whitelist and add trusted source IP addresses, destination IP addresses, or address books of both inbound and outbound traffic to a specific whitelist.
Turn on the switches on the Basic Protection, Virtual Patching, and Threat Intelligence tabs.

For more information about IPS capabilities, see IPS configuration.